Summary
The current DROID project (droid-parent/pom.xml on main) pins Log4j at version 2.25.3:
<log4j2.version>2.25.3</log4j2.version>
This version is vulnerable to CVE-2026-34480 (CVSS 3.1: 7.5 HIGH).
The vulnerability
Apache Log4j Core's XmlLayout fails to sanitize characters forbidden by the XML 1.0 specification (NUL and the other C0 control characters except tab, line feed and carriage return, lone surrogates, and U+FFFE/U+FFFF). Log messages routinely echo untrusted input, so no special access is needed to get such a character into a message or MDC (Mapped Diagnostic Context) value. When that happens, the outcome depends on which StAX implementation is on the classpath:
- JRE built-in StAX implementation: the forbidden characters are written to the output unchanged, producing malformed XML. A conforming XML parser treats this as a fatal (well-formedness) error and rejects the whole document, so downstream log-processing systems can silently drop the affected records (integrity impact).
- Alternative StAX implementations (e.g. Woodstox, which DROID pulls in transitively through the Jackson XML Dataformat module): the writer throws during the logging call, so the event is never delivered to its intended appender. The failure is reported only to Log4j's internal status logger, which is rarely monitored, so the practical effect is silent loss of log events.
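The following is an added example, not code from this issue or from the Log4j project. It shows the XML 1.0 Char production as a check, renders a simplified XmlLayout-style event (element names are an approximation, not Log4j's schema) with and without sanitization, and confirms with a conforming parser (expat via ElementTree) that the unsanitized event is rejected as described above. The sample message, the MDC value and the replacement policy (U+FFFD) are assumptions for the example; the issue does not state what 2.25.4 emits in place of a forbidden character.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# XML 1.0 section 2.2, production [2] Char. Anything outside these ranges
# (NUL, most C0 controls, lone surrogates, U+FFFE/U+FFFF) may not appear in a
# well-formed document at all, not even as a character reference.
_FORBIDDEN = re.compile(r"[^\x09\x0a\x0d\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")

# Constructed sample inputs (assumed, not from the issue): an ANSI-coloured
# message (ESC = U+001B) and an MDC value carrying a stray U+0001, the kind of
# bytes that reach a logger when untrusted input is echoed into a message.
SAMPLE_MESSAGE = "login failed for user \x1b[31madmin\x1b[0m"
SAMPLE_MDC = {"requestId": "req-42\x01"}


def forbidden_chars(text):
    """Return (offset, codepoint) for every character that XML 1.0 forbids."""
    return [(m.start(), ord(m.group())) for m in _FORBIDDEN.finditer(text)]


def sanitize(text, replacement="\ufffd"):
    """Replace forbidden characters with U+FFFD. The replacement policy is an
    assumption for this example; the issue does not say what 2.25.4 emits."""
    return _FORBIDDEN.sub(replacement, text)


def render_event(message, mdc, sanitizer=None):
    """Render a minimal XmlLayout-style event. With sanitizer=None forbidden
    characters pass straight through, mimicking the 2.25.3 behaviour on the JRE
    StAX implementation. Element names are simplified, not Log4j's schema."""
    fix = sanitizer or (lambda s: s)
    items = "".join(
        '<Item key="%s">%s</Item>' % (escape(fix(k)), escape(fix(v)))
        for k, v in mdc.items()
    )
    return (
        '<Event level="INFO" loggerName="example">'
        "<Message>%s</Message>"
        "<ContextMap>%s</ContextMap>"
        "</Event>"
    ) % (escape(fix(message)), items)


def conforming_parser_accepts(xml_text):
    """True iff a conforming XML 1.0 parser (expat via ElementTree) accepts it."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def parsed_message(xml_text):
    """The message text as a downstream consumer would read it back."""
    return ET.fromstring(xml_text).findtext("Message")


if __name__ == "__main__":
    print("forbidden in message:", forbidden_chars(SAMPLE_MESSAGE))
    raw = render_event(SAMPLE_MESSAGE, SAMPLE_MDC)
    print("unsanitized event accepted by parser:", conforming_parser_accepts(raw))
    fixed = render_event(SAMPLE_MESSAGE, SAMPLE_MDC, sanitizer=sanitize)
    print("sanitized event accepted by parser:", conforming_parser_accepts(fixed))
    print("message read back:", repr(parsed_message(fixed)))
```

Note that XML escaping (`escape`) does not help here: the forbidden code points cannot be expressed as character references either, which is why the fix has to replace or drop them rather than encode them. The same `forbidden_chars` check can be run over an existing XML log file's text content to find records that a conforming consumer will already be rejecting.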
Fix
Apache released Log4j 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Scope of change in DROID
Minimal — simply bump the property in droid-parent/pom.xml:
<log4j2.version>2.25.4</log4j2.version>
All Log4j module references (log4j-api, log4j-core, log4j-slf4j2-impl) use ${log4j2.version}, so a single property change propagates to all sub-modules. After bumping, confirm that nothing else still resolves to 2.25.3 with mvn dependency:tree -Dincludes=org.apache.logging.log4j, which should list only 2.25.4 for every Log4j artifact.
Suggested changelog entry
Upgrade Log4j from 2.25.3 to 2.25.4 (CVE-2026-34480). XmlLayout now sanitizes XML 1.0 forbidden characters, preventing malformed XML output and silent log event loss.
References